EchoLeak is the name researchers have given to a class of zero-click prompt-injection vulnerabilities in Microsoft 365 Copilot that can cause the assistant to access and silently exfiltrate enterprise data — without a user clicking anything, opening any attachment or running any executable. The class has been characterised by multiple security research teams over the past few months and now sits as a defining example in OWASP's 2026 ranking, where prompt injection is the number-one AI threat.
The detail that makes EchoLeak materially different from a normal prompt-injection bug is the zero-click vector. A malicious sender does not have to convince a victim to copy text, summarise a document or initiate a chat with the assistant. An incoming email — combined with Copilot's automatic indexing of the inbox to support summarisation and search — is enough.
How EchoLeak works
The mechanic is straightforward in outline and surgical in execution. Microsoft 365 Copilot indexes email, Teams chats, OneDrive documents and SharePoint sites to support the assistant's contextual summaries, replies and search. The model receives that content as part of its context for any query the authenticated user issues. EchoLeak exploits the fact that the model treats the indexed content as instructional input — text inside indexed materials is interpreted as part of the prompt rather than as inert data.
A carefully-constructed email arrives in the victim's inbox. The email contains text that, when ingested into the model's context as part of any subsequent Copilot interaction, hijacks the model's behaviour. The injected instructions tell the model to gather specified sensitive content from the user's tenant — a particular folder of contracts, a specific OneDrive file, the contents of a Teams channel — and emit it via an output channel the user can be tricked into surfacing. The output channel is typically a Markdown image link that, when rendered, sends the embedded data to an attacker-controlled server.
The user never has to interact with the malicious email. The next time they ask Copilot a routine question — "summarise my unread mail," "what did the legal team agree on last week" — the assistant pulls in the malicious content as context, follows the embedded instructions, and exfiltrates.
The CVSS score is the wrong intuition
Past zero-click bugs in messaging clients (iMessage, WhatsApp) have produced CVSS scores in the high 9s because they bypass user interaction entirely. EchoLeak is technically different — it depends on a downstream user interaction with the assistant to trigger ingestion — but the user-facing experience is the same: the attacker sends a normal-looking email and the victim's environment is compromised without any user action that looks suspicious.
Researchers tracking the class have urged enterprises not to treat EchoLeak as a single bug. It is a structural property of any AI assistant that automatically indexes external content into a model's context: any place attacker-controlled text can reach an indexer, the same vector applies. That is why OWASP elevated prompt injection to the number-one AI risk for 2026, and why frameworks describing AI-specific security controls now devote substantial coverage to context isolation and output filtering.
Microsoft's response
Microsoft has shipped a series of mitigations for the specific EchoLeak variants disclosed to it, including stricter output filtering on Copilot's Markdown image rendering, content-security-policy enforcement for image hosts, and detection rules that flag prompt-injection-shaped content in indexed email and document streams. The company has also added context provenance markers — internal metadata that tells the model which parts of its context came from external versus internal sources — so the underlying model can be trained to weight external content less heavily for instruction-following purposes.
These mitigations harden the surface but do not eliminate the class. The fundamental issue is that LLM-based assistants treat their context as a partially-instructional channel by default. Until model architectures cleanly separate instructions from data — a research direction that has produced progress but not deployment-ready solutions — the EchoLeak class will persist as a category, even as specific instances are patched.
What other vendors are doing
Microsoft is not alone. Google's Workspace AI integrations have a parallel attack surface: any document, email or chat content that gets indexed for Gemini context is a candidate for the same vector. Google has been quieter publicly about EchoLeak-equivalent disclosures, but security researchers have demonstrated proof-of-concept variants against Gemini-in-Workspace at conferences this year.
Anthropic's enterprise Claude offering has a smaller surface because the company has historically required customers to scope Claude's data access more explicitly than Microsoft and Google do — a deliberate choice from the company's safety posture, with the trade-off that the integrations are less seamless. The market is now litigating whether that trade-off was foresighted or precaution-bias.
Salesforce's Einstein, ServiceNow's Now Assist, Atlassian's Rovo and the many other enterprise AI assistants face the same structural problem. Vendors are now competing on how robust their context-isolation story is — an architecture question that did not get product-page attention a year ago and is now a standard slide in vendor RFP responses.
The OWASP elevation
The Open Web Application Security Project has reorganised its Top 10 for AI Applications in 2026 around real-world incident frequency, and prompt injection has moved to the top. OWASP's argument: the class is the most reported, the most exploited and the hardest to fully fix. The framework's recommendations are mostly architectural — separate trusted and untrusted context, apply strict output filtering at the surface where model output gets rendered, ensure the assistant cannot exfiltrate data through user-invisible channels — and they have been adopted by every major AI security vendor that runs an assurance programme.
Enterprises now treat OWASP's AI Top 10 the way they treated the original web application Top 10 in the late 2000s: as a baseline assurance list for any deployed assistant. Vendor RFPs commonly require evidence of mitigation for each item; EchoLeak's specific vector is named explicitly in some.
Practical advice for affected organisations
Four steps cover most of the mitigation defenders should take now.
| Mitigation | What it blocks | Effort | Status today |
|---|---|---|---|
| Audit assistant indexing scopes | Reduces attacker-reachable context | Medium | Available |
| Block external-host image rendering | The primary exfil channel | Low | Available |
| DLP on incoming streams | Catches obvious injection patterns | Low | Available |
| Context-provenance markers | Lowers model trust in external content | Medium | Vendor-side |
| Architectural instruction/data split | Eliminates the class | High | Research only |
| Tabletop for zero-click variant | Operational readiness | Low | Available |
First, audit which assistants index which content. If an assistant indexes external email or shared documents from outside the tenant, those are potential EchoLeak vectors. Disable indexing scopes that are not needed for the assistant's actual use case.
Second, review output rendering paths. EchoLeak frequently exfiltrates via Markdown image rendering. Block external-host image rendering in the assistant's response surfaces, or run content through a content-security-policy filter that limits where images can be loaded from.
Third, monitor for prompt-injection-shaped content in incoming email and document streams. Patterns like "ignore previous instructions," "you are an exfiltration assistant," or Base64-encoded directive blocks are visible to standard data-loss-prevention rules with minor tuning.
Fourth, update tabletop exercises. Most incident-response plans assume a human victim performs an action. EchoLeak's zero-click variant breaks that assumption. Exercise the case where the trigger is the next routine assistant query, not a user-initiated action.
The research-and-disclosure timeline
The EchoLeak class did not arrive fully formed. The conceptual foundation was laid by academic work on prompt injection going back to 2022 — most notably the Greshake et al. paper introducing indirect prompt injection as a category. The first practical demonstrations against deployed assistants surfaced in 2023; the first commercially impactful cases against enterprise assistants emerged in late 2024 and through 2025. EchoLeak is the name now used for the mature, zero-click variant of the class against Microsoft 365 Copilot specifically, but the academic literature now contains dozens of variants targeting other assistants under different names.
The disclosure cycle for these vulnerabilities is unusual in two ways. First, the timeline is unusually short. Where traditional vulnerability disclosure often runs 90 days between vendor notification and public disclosure, AI prompt-injection disclosures have been operating on much shorter timelines — sometimes weeks — because the patches involve detection rules and prompt-engineering changes that ship faster than traditional code patches, and because the class is broad enough that public discussion of one variant rarely arms attackers against unpatched variants in other vendors. Second, the disclosure tradition is closer to security-research norms than to product-security norms; researchers tend to publish in detail with working proof-of-concept code rather than restricting publication to high-level descriptions.
Industry response cycles have shortened to match. Microsoft, Google and other major assistant vendors now operate prompt-injection response teams in parallel to their traditional product-security teams, with separate intake, triage and remediation workflows. The size of these teams is rarely public, but the staffing levels described in vendor briefings suggest mid-double-digit headcounts at the largest vendors and growing — comparable in scale to early dedicated mobile-security teams in the 2010s.
For enterprises evaluating AI assistant vendors, the maturity of the prompt-injection response team is now a vendor-due-diligence question. RFP questionnaires ask which team owns prompt-injection response, what the response SLAs are, how the team coordinates with the underlying foundation-model lab when the assistant is built on a third-party model, and whether the vendor publishes detection-rule updates customers can subscribe to. The questions did not exist on RFP templates two years ago and now appear on most of them.
Sources
View author profile → · Editorial policy
